Prerequisites
Ensure that you adhere to the following prerequisites while building your Teams personal and channel or group tab:
Enable discovery of your tab pages in an iFrame by utilizing X-Frame-Options and Content-Security-Policy HTTP response headers.
Ensure that all Teams app pages are hosted on HTTPS endpoints.
Set Content Security Policy headers to allow Teams and any other host applications of your app:
Microsoft 365 app host frame-ancestor permission All hosts (New) *.cloud.microsoft
Teams teams.microsoft.com
,*.teams.microsoft.com
Microsoft 365 app *.microsoft365.com
,*.office.com
,Outlook outlook.office.com
,outlook.office365.com
,outlook-sdf.office.com
,outlook-sdf.office365.com
Warning
Microsoft's cloud services, including web versions of Teams, Outlook, and Microsoft 365 domains, are migrating to the
*.cloud.microsoft
domain. Perform the following steps before September 2024 to ensure your app continues to render on supported Microsoft 365 web client hosts:Update TeamsJS library to v.2.19.0 or later. For more information about the latest release of TeamsJS, see Microsoft Teams JavaScript client library.
If you've defined Content Security Policy (CSP) headers for your app, update the frame-ancestors directive to include the
*.cloud.microsoft
domain. To ensure backward compatibility during the migration, retain the existingframe-ancestors
values in your CSP headers. This approach ensures that your app continues to work across both existing and future Microsoft 365 host applications and minimizes the need for subsequent changes.
Update the following domain in the
frame-ancestors
directive of your app's CSP headers:https://*.cloud.microsoft
Note
To host the other Teams or Microsoft 365 apps within your app, upgrade your app to a Microsoft 365 environment. If you manage the app running in the nested frame, you can update its code to initialize the SDK by specifying your domain. This allows your nested frame to act as a proxy to Teams.
For Internet Explorer 11 compatibility, set
X-Content-Security-Policy
. Alternately, set headerX-Frame-Options: ALLOW-FROM https://teams.microsoft.com/
. This header is deprecated but most browsers still accept it.Sign-in pages don't render in iFrames as a safeguard against clickjacking. Your authentication logic needs to use a method other than redirect. For example, use token-based or cookie-based authentication.
Note
It is recommended that you set the intended use for your cookies rather than rely on default browser behavior. For more information, see SameSite cookie attribute.
Browsers same-origin policy restriction prevents webpages from making requests to different domains than the served web page. So, you can redirect the configuration or content page to another domain or subdomain. Your cross-domain navigation logic needs to allow the Teams client to validate the origin against a static
validDomains
list in the app manifest when loading or communicating with the tab.Style your tabs based on the Teams client's theme, design, and intent. Tabs work best when built to address a specific need and focus on a small set of tasks or a subset of data that is relevant to the tab's channel location.
Within your content page, add a reference to Microsoft Teams JavaScript client library using script tags. After your page loads, make a call to
app.initialize()
, or else your page isn't displayed.For authentication to work on mobile clients, you must upgrade to TeamsJS version 1.4.1 or later.
If you choose to have your channel or group tab to appear on Teams mobile client, the
setConfig()
configuration must have a value for thewebsiteUrl
property.Microsoft Teams tab doesn't support the ability to load intranet websites that use self-signed certificates.
Note
This topic reflects version 2.0.x of the Microsoft Teams JavaScript client library (TeamsJS). If you are using an earlier version, refer to the TeamsJS library overview for guidance on the differences between the latest TeamsJS and earlier versions.
Tools to build tabs
Install | For using... | |
---|---|---|
Required | ||
Node.js | Back-end JavaScript runtime environment. Use the latest v16 LTS release. | |
Microsoft Edge (recommended) or Google Chrome | A browser with developer tools. | |
Visual Studio Code | JavaScript, TypeScript, or SharePoint Framework (SPFx) build environments. | |
Visual Studio 2022, ASP.NET and web development workload | .NET. You can install the free community edition of Visual Studio 2022. | |
Git | Git to use the sample apps repo from GitHub. | |
Microsoft Teams | Microsoft Teams to collaborate with everyone you work with through apps for chat, meetings, call - all in one place. | |
ngrok | Ngrok is a reverse proxy software tool. Ngrok creates a tunnel to your locally running web server's publicly available HTTPS endpoints. Your server's web endpoints are available during the current session on your computer. When you shut down or put your device to sleep, the service is no longer available. | |
Developer Portal for Teams | Web-based portal to configure, manage, and distribute your Teams app including to your organization or the Microsoft Teams Store. |
Build your Teams tab
Now let's build your tab. But first select your choice of tab to build: